Skip to main content
9:00 am
information coming from the government because it does work both ways. >> well, looking at that, and you said a blanket approach to regulation wouldn't work here do you think there's room for each agency, talk about the energy department, faa, to expand the regulations? or maybe what you're talking about offer more incentives, insurance has been discussed, federal, earning more federal contracts if you keep your systems up to a certain level security. >> indemnity on pc would be of benefit to industry, to be able to have that capability if they comply with a risk-based standards. and that's really what we're talking about. when we look at breaching of data, for instance, in our team, and verizon can we as a process called evidence-based risk management. so it's not what we think is out the.
9:01 am
it's what we actually identify and then what we can correct. so if we take that type of approach between government and industry and not try to gold plate everything and have the perfect network, but have a risk-based management approach that says i can assume risk at this certain level based on the consequences of a breach, then we could put programs and policies in place that enable security as opposed to inhibit security. >> i think that organizations are looking for guidance and standards but i think that there's a lot of confusion around this area. i think that industries, certainly they differ, and there are different capabilities within industries and different issues surrounding industries but they're looking for guidance and they're looking for direction and leadership to i think that these issues have been bouncing around. these are not new issues. they have up and up until for a year or two years. these issues have been on a hill for over five years. so they've been bouncing around the halls. it's a very complex issue and
9:02 am
understand why people are having a lot of difficulty because there are many different constituencies, but they're looking for guidance and are looking for standards and they want to be told what to do. not necessary from a regulatory perspective, but from a leadership perspective. they need to get more information from government. they need to get a better understanding of what the threats are big when you understand what the threats are you can then start to manage risk better. and they are looking to see that guidance so that they can be in a better position to be contributors to the solution. >> my understanding is that the energy department is doing just that, working with dhs and the white house to come up with a model, a baseline, maturity model. and i want to know, so looking at the financial services sector, what kind of standards need to be put in place? >> i see the financial services sector as one of those sectors that to me seems to be out in
9:03 am
front. they have been involved in information sharing well before the cyber issue became an issue. going back to fraud, check fraud and those sorts of things. they have been sharing information. they have a very robust information sharing program. i've seen threat indicators and threat signatures and threat actors identified and shared. when you look at organizations that are true competitors, competing against each other for every dollar, two ouch we see them sitting around the table and sharing freely information about the common threat that they all face, it's encouraging. i'd like to see that as a model and other sectors. other sectors are not necessary as robust as that. they don't have that same free information flow. this information is being shared for the most part human to human. and the fact of the matter is these threats are occurring hundreds of times a day, thousands of times a day, millions of times. it can't be done human to human.
9:04 am
it's a great step, a great forward progress, but that's not the be all end all. it has to be at the speed of network, not at the speed of humans. >> looking ahead, after the election, how do you see cybersecurity advancing under a romney administration, and how do you see it advancing under continued obama administration? and what is the government supposed to do, what might happen if they can't get legislation passed? >> i wouldn't put it in a box under each administration. this is an issue that is a significant threat to our nation. is a threat to our financial security. it's a threat to our national security. it's got to be taken seriously regardless of who is in office. ideally what i would like to see is somebody in the white house,
9:05 am
in office perhaps, that is responsible for coordinating this across the entire government. as a direct report to the president of the trade. somebody who's got the authority of the president of the united states to make decisions, and to coordinate this across the sectors. there's no single government agency that has the ability, the capacity to respond to this or to work this. people talk about nsa all the time, and general alexander i think is a real patriot is someone who cares about this country and he's got great capability, but that is one piece of the solution. somebody needs to coordinate that across the entire, the whole of government, and that, regardless of the administration come in my opinion, is going to be the best step forward for us to take after november. >> i used to joke when asked this question that there is no single department or agency that has what we call title vii date authority. you know, that is 10, 18 and 50 that can actually approach the
9:06 am
cyber domain. so, and you look at the approach we are taking, it has to be a joint effort marshaling all of the authorities and responsibilities of the federal government rings to bear. in addition to leveraging the capabilities the private sector that has a unique position in owning and operating most of these industries that we were referring to. so without the capability of having a council type approach where we have government leadership, and i shone mission early, it's very important direction specific, requirements, standards, all those issues are part of what the government adds to the capability. and then the actual infrastructure itself in identifying and operating in a secure environment. that's were industry comes into play. so i believe this partnership needs to be extended. we did in the physical domain for years under the critical infrastructure protection, cpac,
9:07 am
advisory council that was created to address these 18 sectors. i think we can do that again moving in the future. i don't want to speak for shone but i noticed before, working under the confidence of national security initiative under the previous administration, nothing changed by the current administration. i don't assume anything will change in future because of administration. because cyber is a continual. it's not an issue. it's not an element to get something we have to address ongoing. and if you look at the advances that we made under the sea mci and the changes that we made, i think i continuing that capability it will enhance our awareness, enhance our capabilities. >> you talk about the need for sharing information, is there -- one of the stipulations, and this is a sticking point, was what laws should be passed for
9:08 am
sharing information, for protecting privacy and making sure industry isn't held liable for sharing information. about breaches that might have affected its customers. so if there's no legislation, what can agencies still do? where can they improve and trying to share information? >> currently secretary napolitano has the authority under the protection of critical infrastructure information, but a company can voluntarily submit information and they cannot be exposed to foia. it cannot be exposed to regulatory requests. and that data can be protected by, under the secretary's current authorities, and enable government to work with industry to address risk, to create actionable information which we refer to as actionable intelligence so that owners and operas can take the national -- the necessary steps. it can be derived from
9:09 am
classified sources. it can be provided by private sector but it can be provided by other departments and agencies. so that currently exist. expanding the awareness of that and expanding the ability to share i think is something we should focus on. >> you said other agencies can share information the on dhs. could industry obtaining some classified intelligence from the pentagon? >> so what happened under conference of national cybersecurity initiative number five, which took the federal departments and agencies cyber centers and started a coordination effort of which the national cybersecurity integration center henceforth known as nccic was really the focal point for gathering that information. so on that watch for right now you have representatives with full security clearance up to the top secret level from energy compass, financial services companies, water covered, telecommunications companies sitting there next to intelligence analysts, sitting
9:10 am
next to government cyber and wisdom sitting next to secret service agents and fbi agents so they're all sharing the information in near real-time, machine to machine speed, not necessarily just human to human. so they can get that overall operational picture to identify cyber risk. and then it becomes actionable because the energy sector person sits there and says, that's important to me in this way, and i need that information to protect my sector which may be different than what the water person sees. so than by doing that and collecting and sharing classified information them unclassified information, per type -- proprietary information, we have a better idea of what activity is and how the activity propagates through these various sectors. so it's something that can be enhanced. is something that can be expanded on that is something that currently exists. >> so that is an effective system, capability to provide the very similar information sharing to what congress would
9:11 am
like to legislate. is there an awareness problem? >> i think it's an evolutionary problem. so we started the capability, and i did have the honor of serving as the first director, and now we need to advance that capability. we need to extend. i said with 18 sectors. the last hole i think they're six or seven sectors actively represented so we need to expand the. we need to ensure that the public is aware that this is a resource, a national level resource where law enforcement, military, intelligence community and homeland security all come together in one location to generate knowledge. so i used to tell folks, you know, i don't want to share information. we've been sharing information for decades and it really doesn't meet our objectives. we want to develop knowledge so each person in their brains their necessary perspective to give us a total operational
9:12 am
picture, and data calls we get the information we need to provide industry what they need to be successful. >> one quick question for you, and i want to let you comment and then we will go to questions. is verizon a participant in that? >> absolutely. >> is there anything you wanted to add? if there is no legislation. i appreciate what sean said about nccic and initiative five under the, not just of information, but as actionable intelligence. it's not about information sharing. if you share information, you become overwhelmed. there's too much out there. you have to prioritize and you've got to share actionable information. when i sit actionable, i think a system that we've operated under for so many years, which primary is one of them reduction, which is important if we have to try to reduce vulnerabilities but that's not the answer and that is failing. because we been doing it to quite frankly the government is doing better than it's ever done ever. the private sector is doing better than it's ever done ever,
9:13 am
and the awareness is raised and people are getting it. and whether there's been legislation or not, people are talking about the they are funding the government. we're doing better than we ever have. and we are failing. we are falling farther behind. even though we have had many successes we are falling farther behind because we're focusing on vulnerabilities and we're basing this on an inherently insecure infrastructure. we cannot protect every single door and every single window. it can't be done. that networks are too fast. we have mobile devices that are input into the system an ipod. everything a person right here in this room has a computer in the personal on their belt that's more powerful than the computer to put a man on the in 1969. it's inherently vulnerable and insecure. we need to focus on the threat and we need to look at who the actors are and how do we deter these actors, how do we make changes in her system. there needs be a paradigm shift. what sean is talking about, and
9:14 am
now way more company are starting to do, the private sector needs to step up and the private sector needs to start taking action on the network that helped to identify through actionable intelligence, identify who the threat actors are, and then target this thread actors. >> more pro-action. yes, desolate have a microphone? >> i'm michael nelson, i analyze technology for bloomberg government. i've probably been to two dozen cybersecurity meetings in the last two years, and every meeting i hear private public partnership. i hear information sharing from government to industry, industry to government. what i don't hear is very much a discussion about more information with the general public. one of the most useful things that's happened in the last five years, this whole area has been sharing information about security breaches with everybody. because that's what huge
9:15 am
pressure on companies to take action to secure the resources and to make sure that credit card still go walking out the door. do we need to take a totally different approach? you mention security through obscurity which is still a model of most of the security agencies in town. is there a chance we can move to like the open source community that says too many eyes any bug is shallow. let's stop open source software the applicant look at and probe ethics. let's tell people what real threats are out there so they can start making choices and see which companies are responding in which are not. i think the pressure of the public would be a lot more, would be an incredibly effective lever and am wondering if there's any chance we could move to the new kind of openness regime rather than the still, this idea that special people have the information and they will share it. >> if i may start, one of the things that verizon does each
9:16 am
year is produces a data breach investigation report. that specifically quantifies breaches, identifies by sector and also identifies by the intrusion activity so that people understand that it's a hack against a server type system as opposed to a cyber event. and i couldn't agree with you more, without giving context to the general public it's very difficult for most folks to understand cyber. i think the governments efforts right now, i think one october is money which is national cybersecurity awareness month, it's great to have a month dedicated to anything, it has to be an ongoing campaign. it has to be something that continues throughout the year. that said, the government does share specifics on vulnerabilities. there's a national database that has common vulnerability and immigration. that's just basic way to
9:17 am
classify vulnerabilities whether it's with soccer, hardware, products, iphones, ipads and i do want to be vendor specific, but all of these phone abilities are listed in this massive, tens of thousands of a vulnerabilities listed in this database. now, what do you do with that once you have? how do you, as john mentioned earlier, how do you make that actionable for not only industry, but for the general public? so where is the why should i care in there? dazzler tried to do through this education campaign, he developed a why you should be concerned and why you should take the necessary steps to protect yourself. don't expect someone else to protect you. the focus there and a cyber domain is protecting yourself. >> let me add to that, because i think most people in america, probably not industry but i think the average american would be shocked to know that dhs is responsible for
9:18 am
governments they could have the authority and responsibly to protect dot gov. .mil. what government agency has responsibility to protect dot com. matters not a government -- if a foreign government dropped a bomb on some company headquarters here, the nazis would probably scramble planes and the present would be on the phone with some had a state somewhere. but when the same company gets hacked and loses two terabytes of data, $1 billion worth of r&d to continue taking the, nobody does that. that doesn't happen. that's got to change. that is what has to change. you all right. nobody knows about it. there's a lot more that can be done. when you talk by information sharing there's a lot more that the government can provide to the general public about what this means.
9:19 am
[inaudible] >> and the reason i did want to take on a particular vendor is because being a company, whether it's in information technology cover, communications coming, power can become is like the old adage, if your motorcycle ride, there's to type of writer, going down, and then down and going down again, okay? that's the same thing on an environment inside. easier been hacked or you're about to be hacked and you just don't know it yet. one of the things were identified this past year in our annual report was that 90% of the companies that were breached were notified by a third party. so someone else, in 53% of the cases it was law enforcement agencies that notified that company that it had a data breach. and for the time they were originally breached to the time it was recognized is not measured in seconds and is not measured in minutes. it's measured in weeks and
9:20 am
months. >> and years spent in a some extreme cases, years. so this is the issue that we need to address. when we talk about an awareness campaign it's not about posters and information overload. it's about providing actionable intelligence so i can do something about it. >> a dvi are that you mention, that's data breach investigation report that verizon puts out early each year, coming out early 2013. and that has information from u.s. government from the secret service and from interpol international investigative agencies. on the frequency of cybercrime and not just financial losses. but the types of breaches without getting into the privacy invasion, doesn't name any of the companies, doesn't name any of the individuals. so i just wanted to clarify what that was. another question. >> you mentioned that if we drop
9:21 am
a bomb on another country drops a bomb on one of our businesses, that very clear violation law, it's an attack, we'll do something about it. one the issues i've heard from officials like general alexander race is that cyber attack has not been defined yet. and that we talk about they have been hacked, by defining cyberattacks, foreign country or someone else has attacked us and we can take action needs to be done. can that be done, does that need to be done internationally? is that a legislative issue? doesn't need to be addressed in this legislation? >> you say cna, so the analogy i use was the bomb which include an attack, but there is see any happening every day. computer network exploitation. let's change the scenario a little bit and a set of dropping a bomb, a county pulls up in 18 wheel truck, since the people inside and walk out with box after box after box of data. they take it down to the --
9:22 am
ahead over to the country with all of our corporate data. cne, computer network exploitation, is cyber espionage but it is occurring every single day. the u.s. has an international cyber strategy that was put out a year and a half ago. that said that the united states recognizes the internet, i'm paraphrasing, the message recognizes the internet as a key national asset. the united states will take all efforts to protect it. including diplomatic, economic and military action. and i just don't see that happening right now. i don't see it happening. it might be happening behind the scenes. i don't see it happening and i think the public needs to see it happening because i can take the corporations in this country see it happening. and i've talked to ceos in this country who have said they are fed up with getting punched in the face over and over and over again and nobody is doing
9:23 am
anything about it. so they want to take their own action. they want to take, step up and they want to take some type of action. i am not suggesting that independent company start to hacked back against other organizations. but i think there's a lot more that they can do two great hostile and firemen on their networks but there's a lot more that they can do to make it more difficult for the adversary to operate in a permissive environment that they currently have. eyed equally to your sitting down with your family, your having dinner and some armed man, an essay to burst through the door with a knife. you can't sit and wait for the police to arrive are there some action that you're going to take to protect your family. and i think companies, what they have, all the data they have accumulated, all the property that they have developed country was built on the backs of their investors. it relates specifically to the client, to their customers, to their employees and they need to take some action.
9:24 am
i'd like to see government take this action. the government doesn't have the capacity right now to do that. the private sector needs to do that. >> thank you. i would describe myself as a number of public that was discussed earlier, to educate myself about cybersecurity. i would like to ask mr. sean forman at the fbi to extend that nice analogy. i was thinking about it when he mentioned about the cost of entry to cybercrime and cyber breaches. about $500. the cost to knife crime is about $5. and get it doesn't happen all that much. i would argue because of -- because of forensics, if somebody does kill someone with a knife you can find them, trace them, try them, jail them and so on. that's something that i haven't heard much year or any media about the consequences for
9:25 am
cybercrime. people get prosecuted, get put in jail. there's an international dimension to all this, if there's an intelligence agency, government sponsored or criminal activity, there's a lot of anonymity in this but is there more that can be done in responsibly to the individual who -- >> yes, it goes back to what i said earlier which is we have invulnerability focused and we need to be threat focused, and threat focus means identifying who the adversary is in taking action against the adversary. in the u.s. we have a few cameras outside stores and in banks and up and down streets. and those video cameras don't prevent crime. they don't stop people from coming in and robbing the bank. what they do is they discourage people from coming in and robbing the bank, or after the fact after they do take those actions they can be identified and there can be actions taken to incarcerate them, to pursue the. we need have the same capabilities in a subset and that's what i suggest that
9:26 am
companies need to do more to help collect actionable intelligence against to the threat actors are. who are the adversaries? how do we identify them? there's a lot more that can be done. part of this intelligence sharing program with the government itself identify who the threat actors are. and for very clear lines to be drawn, part of the cnc i was deterrence but how do we define what the red lines are to our foreign adversaries so that they know if you can't across this link and if you step across this line, this is what the action is going to be. this is what's going to have to. and right now i think what's been defined for them is it's okay, or the actions are going to be minimal, if at all. so there's no barrier. there's no disincentive. if we start taking actions against a specific threat, in my organization and crowd tried to come in looking to to adversary
9:27 am
attributions specifically for that reason that actions can be taken and held, people can be held accountable. organizations can be held accountable. countries can be held accountable for their malicious acts against private citizens, governments around the world who are being victimized. >> i would just add to that that following on what sean said about attribution, and also to the gentleman's question, it's very appropriate. one of the most difficult things we do in a forensic investigation is to take the lessons that we learned and what we know from the physical domain and apply them to cyber. so when you talk about conducting cyber forensics, the fbi has a tremendous track record of conducting, along with the secret service, i don't want to discount their activities as well, was actually prosecuting cyber criminals and bring them to justice. just a year and a half ago, three of the main operators of the botnet, one of the most
9:28 am
botnets of the exfiltration standpoint, it was a joint effort between the fbi and the spanish authorities took a rest of those individuals, to find them, arrest them and prosecute them. that work is ongoing. for each one of those high profile actors, there's hundreds and hundreds of smaller actors using a variety of technology so that we can sit there and disguise where they are operating from. and then it goes back to john's point that we need to spend more time looking at the threat activity, the patterns associated with threat activity coming in how to identify that in an effort. because they don't come in and sign their name in a gas log and say i'm going to steal data today. but there are fingerprints, if you will, digital fingerprints that are left behind that enable us to be more successful in this area. but it's a growing size. cyber forensics is a growing and private. it's not something that we have like csi that you see on tv.
9:29 am
unfortunately. >> that are human beings and all. this is not computers attacking computers. it's human beings that are using computers as a tool, and you can absolutely get back to those individuals who they are or what organizations they represent to take actions against them. >> thank you very much. [applause] >> well, thank you, tremont, and the two johns for the educational session. i think aliya and the two johns is a folk band i heard about. might be touring this summer. thank you both. we're going to continue with the program in interest among. we'll take a short break. the rest of the program is really exciting. we're going to turn to innovation in cybersecurity, in the next panel followed by keynote like andy greenberg was the author of this machine kills secrets.
9:30 am
and you know wikileaks absolute change the landscape in washington for information sharing and cybersecurity so you won't want to miss the. i will see you back here in 10 minutes. thanks. [inaudible conversations] ♪ ♪
9:31 am
♪ ♪ ♪ [inaudible conversations]
9:32 am
>> [inaudible conversations] spent a short break. we expect this event to get back underway in just a few minutes and we'll continue our live coverage on c-span2.
9:33 am
>> [inaudible conversations] >> [inaudible conversations]
9:34 am
>> [inaudible conversations] >> our live coverage from a couple more live events for today. live coverage of a nebraska senate debate that's between democrat bob kerrey and republican derek fisher. an open seat in nebraska created by the retirement of democratic senator ben nelson. we'll have that for you live at noon eastern on c-span, courtesy
9:35 am
of key etd in omaha, nebraska. also will have remarks from the president of yemen on the future of this country in light of security problems and hunger crisis. we will have those comments live for you at went eastern on c-span. tonight more campaign 2012 coverage. a life wisconsin senator they. congresswoman tammy baldwin debating former health secretary tom he comes in who is a republican. the debate is hosted by the wisconsin broadcasters association. it is courtesy of tv in milwaukee. we will have a live for you at 9:00 eastern on c-span. >> [inaudible conversations]
9:36 am
[inaudible conversations] >> [inaudible conversations]
9:37 am
>> a. >> [inaudible conversations] >> this cybersecurity summit is about to get underway. i reminder, i misspoke, it is democratic senator herb kohl retiring in wisconsin. that live debate will be at 9:00
9:38 am
eastern on c-span. this event is scheduled to back underway momentarily. [inaudible conversations] >> [inaudible conversations]
9:39 am
>> [inaudible conversations]
9:40 am
>> [inaudible conversations] >> if everybody could take their seats we're going to get started in just a moment. >> thank you, everybody, for joining us. we will get started with the remainder of our program. not a with adequately frightens you this morning of all the risks that are available to the hackers can we will not talk all of it about cyber innovation. this is something that is getting an increased level of support and focus with efforts like the cybersecurity awareness month and various awards that are going on. today we're going to have to
9:41 am
individuals are going to be interviewed by atlantic media is steve clemons, the washington editor at large of it landed an editor in chief of atlantic life. he also is the former director of the new america foundation and a cybersecurity expert just to set him up for failure. i'm just joking about cybersecurity. he will be interviewing paul nguyen for the knowledge consulting group, and catherine, the associate director of georgetown's institute for law, science and global security. and i apologize if i butchered your last names. we will correct that in the feeds. >> it's great to be with all of you this morning i want to issue an apology if any of you are a twitter follower of mine. i have about 11,000 of them, and i guess yesterday they all got a little telling them that it just seemed and in this fantastic video. if you just clicked right your they could see it. at i think there is of a thousand friends, cycling through, this is the first time, it's ironic that i've ever
9:42 am
fallen for one of the sort of cyber gags. i don't know what information they got from the, but nonetheless i wanted to kind of mentioned it and out myself as someone who is falling prey to the very folks out in cyber land. we have with us as mentioned katherine as executive director of georgetown institute for law, science and global security. she directs the global, george and cybersecurity project, and she also interestingly in the past, work with someone i'm well acquainted with, brent scowcroft from 2002-2006 as counsel to the presidents intelligence advisory board. and the vast catherine to sort represent, she can talk about everything but sort talk about many of the national security dimensions of cyber innovation both on the threat side and the defensive side. we are also joined by paul nguyen. he looks nice and all this but he's one of these guys that if you dig deep into his past he's
9:43 am
a cool hacker. [laughter] he has a hacking pass and he put that past to good use. so we have to who really understand what the cutting edge of what's going on. let me open up, would you think about innovation, i am not an x. or industries by two very much realize, it has been discussed in this morning and perhaps a cliché of the young man in the philippines years ago who hatched the love bug virus. it just seems to me that we have evolved so much of far beyond us you've got stuxnet, major innovation. you still have the paul nguyen after just having fun and hacking into systems. but i would love to get a quick snapshot of how you both see this date like them both in the court world at the national security world of what you think the biggest headlines are. as you do what i want to throw one buys out and get, particularly catherine state, i
9:44 am
would've these in glossy magazines called soviet military power. does anyone remove those? put them out, anyone who is so -- sort of cold war junkie like a was, these were essentially pentagon documents. in retrospect it looks like they're trying to use these to sort of verify budgets. they were snapshots. i collected all of them. they did benchmark from year to year, they told the public what our government was saying we were worried about. so as we benchmark this, i'm interested in cybersecurity as a concept because it seems to me to be the big blob under which there's so much that fits under, that almost become so amorphous and omnipresent, that it becomes so difficult to explain to the public when we have successes, where we haven't, that we should fear, what we should and. someone to start with catherine and then jump to pull.
9:45 am
>> thank you for having me here today. thanks for coming to have this discussion. the topic of discussing the threat, if you will, or the concerns the government has with the public, i think ironically i see from a different perspective i've been thinking more positively about it lately. for instance, 10 years ago there was absolutely no discussion on the it publicly. in the last five years i've seen quite a lot of we have strategies now. with national reports. we have -- >> we have awards. >> yes, we have, one of the reports that talked about the corporate espionage, the prior panel was talking about, inc. it came out with a very important come into report, naming and identifying states that were most concerned with in terms of the corporate espionage. i see an improvement in the transparency in terms of you, benchmarks, letting the public know what are the major
9:46 am
concerns. 10 years ago the government's new the concerns and there was no discussion of it publicly. so i might be more optimistic of it, about it. i think there's also new for discussion of what we term as cybersecurity. i think sean mentioned it and i put it in the same category. shawn henry discussed it in the first about the idea is this falls under the umbrella of national security. so what you're talking about the private sector, the concerns are more of a technological fix two things our state to state responsibility in cyber, cybersecurity doesn't out to come under a national security. >> paul? >> caveat, -- [inaudible] spent a hacker nonetheless. >> i said that with great respect and admiration. >> absolutely. just to take a step back, i was on the ethical hacking site for 12 years.
9:47 am
back then no one cared about it. we get a thing, we were hired. assessed a lot of people. most on the private sector is were my age has been. most recently a lot more on the federal side. but if you look at the evolution, we've improved, absolutely. back then people subnetworks just to stand up networks. they were chopped full of holes. we've gotten better. the one thing that we've learned is that although the technology has changed, a lot of the fundamental issues still kind of linger. applications that are exploding. if you look a mobile device, what's that mean to me? you just increase the attack site. you've given me more opportunity now to find ways to back him into network. or get to your data. so today 12 years later we're still running into the same issues in fortune 500 countries that we run into 12 years ago. think about it. why is that the case? it comes back to human error. the aspects have not increased
9:48 am
security into a lot of dimensions of our corporations, our business partners. which it just takes one little hole, sometimes a little while to get into these various networks. so i think in the future we still have some fundamental issues, some blocking and tackling that we have to address from june perspective. first and foremost and driving into technology, and local governments from that perspective. i think we're good at detecting what's known, but there's a lot of unknown that we're not good at detecting unknown still today, but the unknown is one of those things that people talk about exploits. they will happen but was like a -- >> can you give us just a little bit more of a handle, and i know it's hard and complex, but it sounds, if i understand what you just said, you are basically saying that the terrain, despite some advances in filling in holes, the terrain is as
9:49 am
vulnerable in many ways as a was 12 years ago. but it seems to me is the complexity we're here talk about innovation in part or what comes next, what is evolving next, as i would assume you've altered minnesota as tools, talents, skills, microprocessor capacity have grown so dramatically. so you're basically saying on one level, bottom line we have a progress in 12 years on the production side, while the nefarious ms. of the vulnerability -- nefarious and this has grown exponentially. >> i think the opportunity to meet her, on the previous now the opportunity to attack is much greater because technology. i think the one thing that we're looking at is that instead of like and we're very signature-based from a detection standpoint. we've got -- [inaudible] more of an anomaly detection, which is kind of an unknown part. how you're able to identify because a lot of times when we start assessing and firemen, kind of very targeted, very low
9:50 am
noise. you can't really tell that you start seeing certain attributes, it should indicate that eventually we'll get all the way back in. we need to nip that in the bud, where as people talk about advanced threats six, nine months but we worked on cases where that's been the case. have been indications that it was there? absolutely. we just have been able to identify with those characteristics are. >> can you give us any sense of what is happening in the corporate espionage world? in los angeles where we had so many auto designers, for instance, i remember the fbi and there is other parts the government had an interagency task force to censor look at corporate espionage. much of it was cyber. ceiling design, stealing technology over digitally. what's the state of play there right now and? >> i think it was mentioned before, it's still very
9:51 am
persistent. the problem is we don't know about it because there are no regulations allowing, requiring them. and so we're not learning from our own mistakes. we're trying to bottle and shove it under the carpet to its occurring all the time, whether we know it or not. it is to their advantage. we've had cases where foreign countries from a capitalist standpoint have looked at a big, underbidding, from a real estate perspective. those little opportunities are a little more coordinated what they're looking at private industry and government and kind of working together to also target other companies in other countries for capital gain. >> kathleen, can you get the shot on a national security cyclics i know you're project works with los alamos if i'm right. you have been looking and we are working with intelligent supervisory board i would assume across the broader national
9:52 am
security part of the footprint here, what's the state of play with a -- >> first, to pick up on the corporate espionage, mcafee had cannot with a a report a couple years ago trying to quantify the loss, dollar loss from u.s. perspective on just the corporate espionage or the i.t. side of things. and they came up with a number of $1 trillion. so there are those, there are those, there's some economists that have disputed that, but in talking to the economists, and asking them, they come up with numbers of hundreds of billions. i'm not an economist. those numbers really don't make a difference to me, if we're losing hundreds of billions versus trillions. the loss is astronomical in terms of the corporate theft spend you just blew my next line because i was going to share this blog post on 10 predictions for cybersecurity what is going to be the first billion dollar
9:53 am
loss, and this is going to be an insured loss versus $170 million sony playstation laws. so this is just nothing. >> so some of our domestic statutes that have been under review by a lot of people working hard to see how we can a man some of the older laws the need brought up to date because of the changes in technology and new challenges, but yet you have to balance that against the other interest come a mighty law enforcement tools, but with respect to the corporate espionage we have the espionage act but it is very difficult to prosecute under that statute, particularly and the cyber context. two examples, to element of the statue the prosecutor would have to prove in court, you have to give an assessment of what value you attribute to your loss. with i.t. that is often quite difficult to do. you also have to show that you have taken certain measures to secure that ip. we were present and the prior panel talk about security stand.
9:54 am
there is no agreement on what is agreed upon across the sectors one security standard, if you meet your good to go, your intimate that. so how would a prosecutor effectively go to court and hold someone, you know, i.e. a state like china and? >> have there been any prosecutions under the espionage act? >> not ip. the wto is in the process company states, it's not a secret. in fact, read the report by but we know who the major state threats are. maybe they're listening in on following me. i'm not concerned about talking about them publicly, but it's china with respect to corporate espionage. we know it. we have seen a. we been able to do the forensic. they call china out on also other countries but it is a problem. how to deal with it at an international level, that's what will be required. is currently trying to be worked out. >> one little factoid for people about the economic espionage act it was added on an amendment to
9:55 am
a bill dealing with boys clubs in america at about midnight on the senate floor without objection it passed and there's virtually no debate. so when we talk about transparency, that act, i was there. i remember and it was a huge piece attached to a very small bill. i don't know any any of you elsewhere down there but it's very small. there is this, i remember the last panel a discussion about whether or not we attack the sink and a much more public way and you publish cyberpenetration, let people know where things are, and whether not that would be a positive thing to do as far as the government which will. >> menasha's security perspective general alexander have spoken about this. he in his testimony about six or so months ago, he did say, talk about the different programs, the partnership between the national security agencies and some companies who voluntarily take part in this prep them to share information.
9:56 am
he actually acknowledged in testimony that there was information that private companies had gained on threats that they were able to share with nsa, that he readily admitted he did not know about. so the value added of sharing is important but there are restrictions. the reality is never has it been the case nor i believe nor will it be that an intelligence agency opens up all of its information on specific threats and shares it with an unlimited number of companies. because you cannot just decide i'm going to share it with that one vendor and nobody else. our government has restrictions about that. so there are real concerns now, there are people currently looking at how you take the classified and move into a lower level of security sensitivity where you can can broaden access among people. it's not like you will require all these ceos to give clearances which would not happen. ceos don't want a paper to get get the level information. but enough that the prior panel
9:57 am
said, you can give me a general sense about the threat. i need a specific. if it's going to be helpful to me as a company and we're going to defend ourselves we need specific details. that's what has to be worked out. what the nsa and cia and others can get, how specific they can give out without compromising national security and enough that the security folks in the companies can actually do something with it. >> to bring this back to the innovation side of this for a minute, when i have talked to people in the past and look the kind of what russian organized crime was doing, for instance, or what was happening in china, i was told, whether it was correct or not, what i was told is that some of the most advanced cyber threats in the world imminent, for instance, in attention and escalation between taiwan and china. that they basically have to do all sorts of worms and mahler and disabling pieces of code
9:58 am
aimed at each other. and it's as glenn kessler deal with each other, and japan as well and china have been involved with this. i assume that somewhere there's a room full of ethical hackers working on behalf of u.s. government. part of me wonders to what degree, you've got to be so invested in this for so long because if you're not, it's like a human system that you end up getting viruses and whatnot really what you are developed for very different purposes, for instance, taiwan and china's problems for india and pakistan trying to disable each other, that eventually those threats to evolve elsewhere a skate. i'd love to be told where i am wrong, if i am wrong but also like to get a sense of where you think america's particular capacities and strengths and weaknesses are indeed with global environmental threats. >> i think we are very well positioned. why are we very well positioned? i think we have a lot of
9:59 am
capabilities of a technology standpoint as well as just the human capital associated with building out these defenses come and even the offenses. are there people out there who are doing the research and trying to define -- trying to find weaponizing, sure, absolutely. i think we're a little bit -- it's cliché, public private sector but i think with a lot of private sector organizations that don't have that capability, and they are looking to mature their own programs to find ways to protect themselves. it's just not readily available to them right now. we are facing a look at of a skill set deficiency just because i think naturally of our people have migrated away from technology, which is kind of an underpinning for these types of skill sets. we have a hard time trying to find people who have the right capabilities and the right skill
10:00 am
sets for us to be able to deliver a quality of service that we want to provide your customers. there is certainly an efficiency there. you talked about kind of in taiwan, china, the problem with security is there are billions of potential exploitation vectors that are out there. based on technology, based on everything. to be able to protect everyone is impossible. but i think at this point you've got to make the investment. >> we will break away from this live event for just a short moment and take you live to the floor of the u.s. senate. a pro forma session. we don't expect it to last long at all. as soon as the sin is in and back out we will come back to this live event. -- as soon as the senate is in and back out we'll come back to this live event.
10:01 am
10:02 am
10:03 am
10:04 am
10:05 am
10:06 am
10:07 am
10:08 am
10:09 am
10:10 am
the presiding officer: the senate will come to order and the clerk will read a communication to the senate. the clerk: washington, d.c., september 28, 2012. to the senate: under the provisions of rule 1 paragraph 3 of the standing rules of the senate i hereby appoint the honorable mark r. warner, a senator from the commonwealth of
10:11 am
virginia, to perform the duties of the chair signed daniel k. inouye, president of the senate. the presiding officer: under the previous order the senate the previous order the senate >> back live now to the cybersecurity summit. live coverage on c-span2. >> to protect ourselves. if i and understand the question correctly -- what mike is saying is if the government could take the lead could take steps, which he argued code to harden security, the distances itself from the ability to understand what other folks are doing is a sort of scale between really achieving security and then also being a will to spite to some degree on what your opponents are of up to.
10:12 am
>> i don't know where that balance is. it's a fine line and i am in no position to see what's right and wrong. when i look at people we advise and work with, there are things are known to us that are going on on the government side. it would be great to know. it's hard for me to make a judgment of where that line is. >> i don't think you can get rid of the need to do that balance. it's never going to be all nothing more zero some between security and being able to use the openness and vulnerability defensively or offensive flee. the difference though in terms of the same balance that had to be struck, that had to be dealt with prior to the cyber context was that much of the tools that you were using to take advantage of the vulnerabilities could be
10:13 am
hidden. you could do it and not as visible or in a way that you could keep from exploiting the vulnerability secret. and put cyber, it's very difficult to do so it's only gotten more challenging in terms of that balance between complete security, which is impossible. i don't think anyone really -- most people at least in the security field those that have been working complete security in this field is just an impossible state of nature. >> to me this sounds like a great story waiting for a trigger. fundamentally what you have is the moment with an economic loss or very severe national security loss that was essentially allowed to happen and that became publicly known. i suspect you will have a massive shift in that stance, and it sounds like you've seen this firsthand.
10:14 am
other questions. yes, right over here. >> my name is mike flem, second year law student. i was curious about definitions and whether cyber attacks or cybercrime is really influence with policy and legislation and how we react going forward. >> cyberattack and cybercrime sounds like a legal question, catherine. >> so, cyber crimes, the definition is a lot easier. we have definitions established in the domestic law. most nation states have domestic law maybe not covering as much as you want in terms of all the criminal activity. the european union has the convention where the crimes are delineated as to what individuals can be held responsible for and therefore the states in the treaty are to be working in the joint investigations and through
10:15 am
mutual legal agreements. the other terms, what is the use of force in the cyber context what is an armed attack in the cyber context. these are in the long established international terms codified in treaties and customary international law. the united states has come out and officially said that we will abide by those international will use that regulate the use of force and arms hostilities and cider. right now the u.s. -- in weekly meetings all over the place with government and international people the u.s. is working on the more difficult task. what did you state that's an important thing and tells the world where you stand with respect to those families. now the job is specifically applying them using those words use of force and armed attack in the context. so i think was last week or the week before we heard the adviser
10:16 am
at state speaking of the cyber command. there were i think the defense had an article in the senate and you can get the full speech. he spoke specifically about the use of force and armed attack. what is that as dictated in the u.s. charter, how does that apply in cyber? i wouldn't say everyone would agree necessarily with what he said in that particular international lawyers, but he was consistent in some of the past u.s. approach and outside of cyber on interpreting what would be a use of force reverses an armed attack so more difficult and less international consensus. the russians were working hard on coming up with an agreement and what would be an armed attack in cyber. what would they constitute? the chinese we are about the furthest away from any agreement with the chinese. they have effectively come out
10:17 am
and said in a number of different ways and then using the diplomatic discussions that they do not see the laws of farm conflict as applicable in cyber. this is a huge issue, won the u.s. is now spending a lot of time trying to teach your not what this means and as far as the u.s. getting agreements on the rules of the road in cyberspace among the nation states when it comes to the use of force and military activity. >> the same question, and perhaps i missed read some of your comments in the past articles, but you also i think differentiated between this labor exploitation and destructive cyberattack. i seem to get the sense that cyber exploitation, which could fall under the moniker of attack that that is a fuzzy legal area. is that correct? exploitation is not destructive. >> if you think of it as a cascading pillar, in the international law you would have certain principles at the
10:18 am
bottom, which would the norms of behavior. so the norms of the intervention and sovereignty. that is something that is protected and states have the right to be free from the internal interference. violations though don't constitute the right to take lethal force in self-defense if you are the target of this violation. then you escalate up in the use of force, so espionage. as the knowledge with this cyber or political espionage violates a state sovereignty. you may remember 1960 to may 1st, 1960. gary bauer is shot down over the soviet union and the surveillance spy plane. it went to the security council and there was a debate and argument and the argued this was an active aggression that's another word for use of force. the u.s. argued self-defense and the concept known as clean
10:19 am
hands. they do it, we can do it. the security council didn't rule it an active aggression. effectively international law says spying is not illegal. so it is clear there is no international law that prohibits espionage. the hague conventions as if you're in conflict and get caught you can't be killed if you are a spy. you can be criminally prosecuted. international law says every state's domestic system criminalizes and therefore you could be prosecuted. use of force though is about espionage. an armed attack is above that. and so you can go and see what he said. he completes the use of force and armed attack as one threshold. in the cyber that is a little disconcerting to read the international lawyers will not agree with you on that, but it's been a consistent u.s. position in the past. there's a distinction made between the use of force which does not allow you to use armed force and response verses the
10:20 am
attack which does allow you to use the illegal armed force in self-defense. >> the would be really good article for the executive to make that point. other questions. yes, right there. >> formerly with the des cyber. regarding the point about benchmarks, when we look at the lessons that we were supposed to have learned from january, 2010, the attacks against google and they are reaching out to the government. so, when you look from then to now coming in to look at just how effectively has the government with the private sector tried to address the problem of the systematic online theft of intellectual property that rises to national security significance? my question is the u.s. government not serious about doing something about this problem or are they incompetent? >> can i just ask q. do you
10:21 am
think there's been very little progress -- im benchmarking this because i don't know what has happened since that incident. >> there is almost no evidence i can find in the public domain that this government and this public-private partnership have identified the strategic cyber priorities and have identified the goals, objectives and milestones. the best i've ever seen in the past was the comprehensive national cybersecurity initiative where that did exist for a number of initiatives. i see no evidence of that now. >> i think publicly there has not been as much evidence of it. are there initiatives underway to drive this problem? absolutely we have been trying to address this problem for a long time. it sounds like what the mall. because something happens doesn't mean you want to try to whack that mole again. they are probably changing the tactic. you have to look at it from the commonalities to protect
10:22 am
government, private sector and understand what is the best without crossing the line of how much the government influences the private sector and what they should do from a regulatory perspective. i think that is a fine line because a lot of times they say we don't want to deal with the requirements because that is a huge overhead and my ability to execute the business. so, there is a lot of delicacies in order to establish the executive order or the cyber bill. they are working on it is just not easy problem is all because there are so many ripple affect and impact on the private industry as well as the government, and there's -- you've got to make informed investment decisions. any corporation has a responsibility to their shareholders. if they are going to invest in securities it's got to be in a way that is a tangible value the company. whether it is protection of privacy information. it's not as easy as saying yes, here are the priorities and then go off and do it.
10:23 am
>> i think that is a difficult one. i recently -- when the legislation didn't pass and the executive order was being discussed and coming out on cyber, i had the opportunity to ask a couple of the folks from the financial sector involved in the individual banks and i said what is it -- what is your worst case scenario in your mind from the private sector what is the worst thing the government can do, and thinking about an executive order were in the prior proposed cybersecurity legislation coming you know, what would be really bad? and they looked at me and they said anything. and -- i said what do you mean anything? they said the government shouldn't do anything right now. we've already got -- they then went on and sat me down for about an hour and i got a tutorial on compliance and what it means and how they have to conform with it and who are the
10:24 am
regulators in their sector. so, over and over they said not one thing should be done right now by anyone in government, so this executive order, nothing. it's a difficult challenge. >> let's take the last question right here. >> i would like to ask -- >> i like that, just a private citizen. sure you are. >> i would like to ask the panel for their favorite metaphor of the historical parallel in the world we are facing today. 11a colin amanda barbarian world, a star track? what is your favorite fiction or nonfiction? >> leave it to somebody to come up with the really cool question. what is the metaphor that most describes the world we are in from a cybersecurity world that we are in? just testing your creativity,
10:25 am
and the cameras are rolling. [laughter] >> are you asking me to break into something. >> war games. >> it's funny, they have an older movie, "sneakers" but it's a classic movie, 20 years ago? it's the embodiment of what it is today. but 20 years ago. i think it has a little bit of the wild, wild west just because there is a lack of laws and regulations. it's hard to understand what cyber domain is and all of the permutations because it isn't physical anymore. there are some physical elements to it that aspect has created an exponential problem that can't -- when you have simple assets to cut was going to be easier. when you can't even understand what assets you have, it's harder to control what you don't
10:26 am
know what you have to we estimate it's a little bit more like the wild, wild west. i can't comment. >> so, from an academic point of view, i see that we are in a place that's really maybe the particularities of the threats and actors are different, but as a realist, if you think ken waltz, the classic realist, he would describe the world as an and optical system, self-help, states or the gannet reactors and the primary actors. i believe we are still in that same world. that hasn't changed. from a constructivist point of view, we are in the world and have been as well where the constructive would say you can still get agreement among the parties with roots through the states as the primary actors. the soviet union and the cold war, whether it is through the treaties and persuasions or the common understanding of what would be mutually beneficial for you to agree on and therefore
10:27 am
self restrict your behavior and not see the self-help so in the constructivist would say identities and norms are constructed through interaction among the states. i believe we are in a realist constructed arena, and we always have been. states have not gone away as some have opined in cyber to but i think the manifesto of those original creative envisioned the internet would be free of government control. i just came back from a conference speaking about the sovereignty and the role of the states. that hasn't changed. state dominated an article world but still speaks for agreement and compromise where we can minimize the disorder in cyber. >> i would just ask as an outsider to this that agreed to come in and did been to this dungeon of despair that reminds
10:28 am
me from my work of a national security area about a combination hybrid of the old escalation we used to think in the w. e. area, chemical, biological, nuclear, but rather than states, it is bill joy means that world and you may remember the co-founder of microsystems that wrote that wired magazine article called "the future doesn't need us," that said power individuals will be able to create mass casualty, mass effects on the public in various ways because of the massive expansion of the microprocessing capacity, and what's happening in the various resolutions have changed the dynamic and so i sort of think that we are in this dystopian moment that everything we used to do as nations has moved to a different level and that gets you to your "sneakers" metaphor. i haven't succeeded at this. i received a one last comment i would make is i don't know if
10:29 am
any of you have read -- if you want to get even more depressed, david ignatius had a novel. they were making it a leonardo dicaprio he plays in his movies now, but he wrote a book called quote code blood money." it should of been called blow back. it was a story where fundamentally someone got access to financial data and then began doing essentially what the government does it takes is a seat technologies and computing and who they are and find people and killed them so we follow the cyber terror and cyber concerns or 20 in the debate to available for those that can still the data techniques to either mine for good or for the commercial very nefarious reasons. on that very optimistic note i want to turn it over. think you very much.
10:30 am
nguyen and catherine. >> thanks, paul, catherine and steve. we are now going to close with our keynote speaker, andy greenburg, writer and focuses on technology information security and digital, civil liberties. he currently writes for forbes magazine and is the author of the book tim mentioned earlier called this machine kills, how the wikileakers activists and to free the world's information. please welcome andy. [applause] >> i'm sorry to inflect powerpoint on everybody. what i learned today is people have a security don't use powerpoint anymore and people that are really good at security don't use e-mail anymore. if you want to contact me have your people call my people. i'm technology reporter with for this and i've written a book
10:31 am
that tells secrets, that sounds much more dangerous, but the future has come up because run the the part where they say to mardy no more secrets. that is what my book is about. there's a shift that has come up a couple of times today, and i see it as a security reporter covering this industry the last two years the shift away from security through obscurity to read the talk is not just about my book which is about the kind of history of anonymous information leaks and the future of them this is also about a bigger idea of the crypto anarchy and failure of the national security through a security. in 2005, this is the old model, in 2005 there is a researcher to present a formidable the and one of the robbers had the black have security conference. cisco freaked out at the last minute and threatened to sue him and the conference and to the
10:32 am
degree the black hats organizers went through a free pamphlet at the conference and tore out the information that they were going to present. and this is a leak still from the video that was taken at that. mike, the researcher, was so angry about this that he gave a talk any way and the result is only the hacker's present to the conference learned about the security vulnerability in the cisco routers which i don't think is the had in mind with the attempted censorship. flash forward to today and companies now, or smart companies especially, don't only accept information about security vulnerabilities, but they pay for it. this is the price google will pay for information about the vulnerability said its technology and the conversation is google would give up the $60,000 for a single working exploited its browser so that is the kind of contrast i want everybody to have in mind. that is the shift away from
10:33 am
security that we see in the smartest parts of the private sector. so there is no good segue here. this video which is told collateral murder appeared in 2010, and i found a shocking not just in its content, it shows the have podgy helicopter firing on civilians and journalists in baghdad but it had a leak from the most classified part of a military. i knew that wikileaks was run by the former julian assange. they set up a cryptograph box and this was dropped into their laps. tester the following wikileaks and we saw the afghan war diaries suddenly had a secret documents about the afghan war. again, dumped into wikileaks
10:34 am
lap. i started to think about what wikileaks really represented which is where a world anyone can anonymously descend out of the institution or the government agency corporation they work for and this is a story that matters in the business world, so i sort of dream about putting julian assange on the cover for this which was totally nuts at the time. i need context with this i slander who worked for wikileaks. his name was penguin x, that was his panhandle and we started chatting over this message system. i spent a little while their meeting with the lesser known figures and sort of waiting for julian assange to tell me where he was because he had kind of gone underground at this point. he wouldn't tell me what country he was in. it turned out he was in london. i got the whole afternoon to just hang out with julian assange come hear his thoughts and his life story, his ideology and his plans.
10:35 am
he told me wikileaks is about to release its biggest ever which turned out to be cable gates, of quarter million of the department memos from embassies all run of the world would become the biggest classified data breaches in the public's sphere of all time. so at this point forbes magazine was done with the story they had their cover story, but i was not. and i wanted to figure out these bigger questions how did wikileaks do what it did? maza all about this one guy, julian assange gum or the technology? if it was the technology who's to say this isn't going to happen again and these are available tools where is the next wikileaks going to come from. the press at the time was treating it as a series of unfortunate events to steal a line from ackley turkey. how is he doing this? one bad thing after another. we should do something about
10:36 am
this. but i wanted to trace the ideas back to their roots and i found them in the cipher punks, this group of guys in their early to the mid 90's paltrow libertarians who saw the of devotee to use encryption and secrecy to take power away from the government and give it to individuals. this began with a guy named bill zimmerman kukri to this offer insure everybody heard of what was the first freely available encryption tools that wasn't correct even by the government, and this did scare the government. as we heard about earlier zimmerman wasn't investigated exploring as it were a mission or a bomb or missile and i think really this was the first example of the streisand affect. i don't know if you heard of this but barbara streisand in 2003 found a photograph of her malibu beach house online, never mind the fact was actually just one photograph and a collection
10:37 am
of hundreds or even thousands taken by this environmentalist was photographing the entire california coastline. she saw the photo and send him a cease-and-desist and the result was we all now seen this photograph, which she identified for us. nobody knew which of the photographs contained her house until she sent a note from her lawyer and this image came from a site called know your meme picked up by the associated press all over the world and barbra streisand got her name put on this. what happens when you try to censer something it causes a backlash that makes it proliferate everywhere. i think something similar happens with pgp and the attempt to suppress it. they suddenly had confirmation that the government really is a friend of encryption. this is a powerful tool they can use against it. one guy named tim mayes was a
10:38 am
former intel who made money and decided to retire and spend the rest of his life thinking about how to destroy society as you know it. and he saw you could read the information not just in a single layer of encryption but multiple layers, taking this idea from a cryptographer. there are multiple layers of encryption, and this multilayer the ball of the delegates passed down through different servers each of which takes off one of my year but bouncing around through all of these noded and each one can see a different layers of encryption you keep them from identifying the data, so it becomes untraceable. and tim saw the potential of this to enable the beak of the national security from anonymous sources to make it possible untraceable teams that couldn't
10:39 am
be taxed or to hide the forbidden data and places it couldn't be found but it could be accessed like the results of the horrible nazi medical experiments. this is the kind of thing that got him excited. so he wrote this of the crypto manifesto that said they would try to halt this for the technology citing national security concerns. but anonymous computer is market will make it possible for assassinations and extortion and various criminal and foreign elements of the active users of cryptonet this will not halt the spread of crypto anarchy. he went on to create a prototype for wikileaks which he called black net, and it is exactly what wikileaks would become a which is kind of a -- it is sort of a for-profit version that he opened up the system and invited people to send national security secrets and corporate ip using
10:40 am
the tools. so this is a 1993. before anybody ever heard of julian assange. succumb this evolves and this is just kind of a proof of content but a guy named john yondah picked up this idea and created a web site that has successfully leaked a lot of important secrets in putting intelligence names and sources' names and internal documents from companies and you've seen this long before julian assange even dropped out of college. the difference that i think allows wikileaks to come out from the underground to become this was that the limited tools continue to develop and eventually reach the state of art. a piece of software the was developed by a lot of the agencies in this room was first by the naval research laboratory and then funded by the state department, and tor basically worked like the mixed network
10:41 am
that he was so excited about but the function web speed allowed you to host a website in a way where the location couldn't be identified. i believe tor was the service that wikileaks ran on. it was a tor service and the accused source of all of wikileaks biggest releases also says he used tor commesso it was easily the liver that was used to pry open the world secrets. and wikileaks is the first piece of the crypto and anarchy the was the piece that he imagined. now that we see that the deciphered punks have this power it's worth going back to other things they were thinkill be in the pipeline. so, i was fascinated by this other character named jim bell
10:42 am
whose even more radical than tim if that's possible. he proposed a system he picked of this idea of untraceable payments and he wanted to create a payment program called assassination politics or anybody can make a nation into a digital debt a pool and the money is used to fund the assassinations of political figures. so a million people over in $5 to kill the president through some -- i'm not advocating this if any secret service agents are in the room -- but immediately there is an untraceable collection of $5 million on the president's head. and jim bell believed he could use this system to destroy the government as we know it. he wrote that with perfect anonymity and secrecy and perfect security, combines the risky proposition to even hold a level of office of the commissioner.
10:43 am
so, i exchanged letters with jim bell while he was in prison recently for tax evasion and stalking a federal agent. he got out in march actually and he told me when he was in solitary confinement, he came up with a burly and patent idea for a telecommunications idea where he is an intimate $100 billion, literally. that's what he said. it would be easy for him, the next bill gates to fund the system and bring it to reality, which is kind of a chilling thought. but in fact, as crazy as this might sound or schizophrenic or whatever, the tools for the assassination politics accessed much more of and they did in 1996, the creek to currency called bit coin which is a digital anonymous cash. bit coin doesn't involve banks. instead of each transaction being verified by an institution it's verified by every user together and the users
10:44 am
cryptography to prevent forgery. so you can spend it under a pseudonym and it can be used untraceable if used properly and the results combined with tor services has been a real flowering of exactly what jim bell was prescribing to read all kinds of illicit services and putting contract killers. i've done a lot of stretching around on this kind of anonymous underbelly of the internet that is made possible by tor, and i found a site called c'thulhu that says they are former members of the french region that are performing hits over the world in exchange for bit coin. you can only access it by running tor and buying these assassinations with bit coins. there are other ones of these i called quick hill, contract color and assassination market coming after jim bell's idea of
10:45 am
assassination politics. it's impossible to know if these are real or just scams. they've all required down payments so i don't know what that implies. i have e-mail all of them and surprisingly they didn't want to do an interview unfortunately. but one thing that is very real in this world is a site called silk rose that is also a tor service that it only accept bit coins and you can easily go there right now with the right tools and buy heroin or ecstasy or acid to read this is a flourishing site. one researcher i've spoken to has been scraping the contant off of it daily and he extrapolated by looking at what is out there and how quickly the merchandise goes away that they are making $22 million a year in revenue, which is a pretty tight little crypto and arctic business that they are running. so, when silk road first
10:46 am
appeared and the congressman said to the cassette this is a threat to our children and a scary countermeasure and the war on drugs, tim was excited and wrote me in e-mail and said these are exciting times, the black market trifecta with everything that he has imagined in this crypto anarchist recipe back in 1982 now exists. so in fact there is a kind of side project known as the armory offered to sell guns instead of drugs and shut down possibly because there wasn't enough demand to a shift in ak-47 through the mail on forcibly and to see the ways to crypto anarchy is eroding the regulations on a firearms. i talked to this one group called the defense distributed who hopes to make it possible to download a gun 3-d printed in
10:47 am
your own home. they are consumer tools that you can use to create plastic objects from models and there's already been a proof of concept of this one. one user down loaded and three be printed the 14. basically a machine gun it's a lower receiverthe only part that is regulated so the rest he assembled from off-the-shelf parts and he said the three d printed part showed no where. they want to go further and make it possible for anyone to download and print an entire weapon that is basically digitally distributed. the heavy fund-raising campaign and they were banned because they violated the terms of service and this only created a
10:48 am
street kid effect. they raised the $20,000 they hoped to raise through bit coins and anonymous donations and are holding a design competition for a three the principal gun that can be downloaded anywhere in the world. i talked with the founder of the university of texas law student named cody willson and he said this to me. call me crazy but i see a world where contraband will pass underground through the data cables to be printed in our homes as the drones moved overhead. i see a kind of poetry there, the dream of this very weird future and i'd like to be part of it. that sounds like a modern-day tim mayes that like encryption will someday soon come to fruition and become easily usable and will work the same way that bit coins have enabled the crypto anarchy. as a group of policy makers,
10:49 am
what do we do about this? i'm not a policymaker i am a humble reporter. what do you do? do you bam silk road? they would love to if they could find it but they can't. it's been demonstrated of least so far bit coins and tor have served their appropriate function which is hiding its geographic location. do you van bit coins, the crypto currency? i don't think it's possible bit coins is widely distributed on millions of people's machines. the idea is there is no central point, no institution you can go after and trying to ban bit coins would be wonderful for a variety that owns bit coins they would skyrocket in value as soon as the government demonstrated how scared they were. even tor? first was invented by the government and serbs lots of
10:50 am
important purposes. it's used all around the world in countries like syria and iran and china and by political dissidents and people in this room but i don't think it's possible to ban tor. it's in the hands of millions of people, so i guess to give my prescription at the beginning of the solution i will tell one more story which is what we all know about napster to bmp free is becoming a usable format that allows anybody to exchange them three kind of central directory, and suddenly all music became free and this was an enormous threat to the label. they launched a multi-billion dollar lawsuit against napster, just decimated it and went back to the business as usual but of course another cyberpunk was
10:51 am
ready to come along named bill grant who mentioned bit torrents and it has no central point of failure like maxtor so it assembles files from thousands of computers at once. the result is bit torrents couldn't be shut down and treated 50 million people use it today and it caused the record industry's to be cut in half or it is a big part of that problem. and i think the record labels have to give up on the idea of stopping people from pirating music. instead, we see the evolution to a different model. companies like spotify. it doesn't create scarcity, it does sell music but by assuming all music needs to be free and is already free so it is going to chart $10 a month and will give you the convenience of just avoiding the download, you can
10:52 am
stream at and use it on your mobile device. but spotify understands music is ubiquitous. all information is going to spread, and we have to just work in a world. so i did that is the lesson here is the era of security through scarcity of information is over. if there's some piece of information that scarce you for that to hold sacred, you can't pretend it's not going to proliferate. you have to imagine the world spends a hundred or a thousand times more widely than it has and make your policy for that world. if we look at wikileaks, the central player in the book how does this apply? what can the government do? peace tools still exist and there will be another wikileaks
10:53 am
to read to you try to ban the tools? all you can do is cause the streisand affect or just simply fail. do you try to stop the leaks? to some degree it would be kind of a cat and mouse game and there will be a mouse who succeeds in being the next breath the manning -- bradley manning. the government can't be entirely a bit. the have to have secrets to some degree. i want to point to another organization called a global weeks come this group of hackers and italy who have created a leaking tool that is basically as bit torrent is to napster is to wikileaks. it's not a central institution. it's a piece of software protocol and uses tor and enables anybody to run an anonymous site, and global leaks would be happy to work with any
10:54 am
organization that wants to set up a whistleblowing plot from including internal whistle-blower platforms. imagine if the u.s. military or the state department predicted its own internal wikileaks using the global leaks software if there were a future bradley manning who wanted to risk spending decades of his life in prison and then instead to simply hand this information over anonymously to this internal safety valve that can detect the information towards reform. i'm trying to outline this contrast between on the left side of the picture 2005, no offense to cisco today. but in 2005 they tried to enter the information that scares them, the security vulnerabilities. barbra streisand caused a blowup of information that she was afraid of in the process of
10:55 am
censoring it or any organization that tries to stick its head in the sand or put their head in the sand which is the most people ever because the internet is the multi headed hydra and there will always be another sticking out. on the right side of the picture, google model the increases that pays for information about its security vulnerabilities, or spotify that swims in the ocean of free music with $900 million in revenue this year or the global leaks which can potentially turn them into a tool of reform rather than they imagine the disclosure i think the lesson of the crypto anarchists and wikileaks is the institutions organizations have this choice to swing with the flow or against it and struggle and in some cases to drown.
10:56 am
the lesson is their land through the secret ones and the scary ones which were without our permission and that is the world we have to live. i'm happy to take questions. >> [inaudible] >> i will be around to talk later. [applause] >> thank you all very much for coming and thank to in the end of the other speakers and panelists. we appreciate you joining us. have a good afternoon.
10:57 am
[inaudible conversations] [inaudible conversations]
10:58 am
we've been talking a lot about the presidential campaign this morning but there are a couple of senate debate today c-span will be carrying live that you have been covering. what's happening in wisconsin? >> wisconsin has become one of the interesting senate races in the country. you have a state that has been publicly ruling for over two years and the presidential race for a while it seems competitive. president obama seems to pull ahead by about five points in the latest poll and some of that has helped me of a change in the trajectory of the race. earlier this month governor tommy thompson the republicans seemed to have the momentum and at this point his republican democratic rival representative tammy baldwin seems to be in the
10:59 am
margin of error or a little ahead. >> why is that? >> it seems my best guess is the surge if you want to call it that corresponds with president obama getting some distance from governor mitt romney. back in august it really seems to to read and is still is. governor thompson was preceded as the best republican nominee. he had a very repel competitive primary. we have representative paul ryan nominated for the vp. so it seems like suddenly wisconsin is back in the republican column. >> abby lingstron is tonight the only series? >> i don't know that of the top of my head but it's meant to be an interesting evening because governor thompson is a state wide brand. he's known not as governor thompson, but tommy and he is going to be speaking to the legal government representative baldwin as a liberal. that is what has made him too liberal for nancy pelosi coming
11:00 am
and she is one of several members of congress who is from a single district trying to run statewide but she is going to try to define herself in a positive we come in and he is going to define her negatively. >> that debate will be live from wisconsin. we will broadcast it live at c-span 9 p.m. central time. tommy thompson and tammy baldwin in their debate and there is another that we will be carrying live and that will be noon eastern time. nebraska, give an update to their if you would. ..
11:01 am
most recent polls show this is falling out of democrats. >> when you talk about the polls, what's the margin right now? >> i believe it was about 15 points. a local newspaper poll. >> is there a reason? bob kerrey, like you said about tommy thompson, is a nebraska brand. >> he is a nebraska brand but he has lived in new york city for about 11 years. republicans, even before he gotten in were naming him big apple bob. yes family, has a son, a wife there. i think it moved to nebraska
11:02 am
since the fed done everything they can to paint him as a new york liberal. nebraska has just shifted conservative. it should become a more red state. >> once again you can see that debate from omaha live at noon eastern on our companion network c-span. right after that remarks from the president of yemen on the future of this country invite of security problems and the hunger crisis. he will speak at of the woodrow wilson center in washington and you can see those comments live at 1 p.m. eastern. coming up tonight, more campaign 2012 coverage with a life wisconsin senate debate. congresswoman tammy baldwin debates former health secretary tommy thompson who is republican. that seat is open due to the retirement of democratic senator herb kohl. you can see it live at 9 p.m. eastern on c-span. you can also listen on c-span radio or watch online at
11:03 am
>> the reason why i like that is simply because c-span is unbiased. they just tell you the news straight it. that's arguably the best argument you can make. i'm a firm believer that video archives are a gift to the american people. g is one of the mostggggg historical, one of the most historical archives that are. i primarily watch the "washington journal," the house of representatives proceedings and c-span2 for the u.s. senate. >> jake young watches c-span on wow. c-span, created by an american cable companies in 1979 brought to you as a public service by your television for -- provider. >> my opponent, and his running mate, are big believers and top down economics. they basically think if we just been another $5 trillion on tax cuts, that favor the very
11:04 am
wealthiest that -- [booing] >> don't boo. vote. vote. >> he has one new idea. one thing he did not do in his first four years, he said he will do in the next four years which is to raise taxes. is there anybody who thinks that raising taxes will help grow the economy? >> no. >> his plan is to continue what he is done before. the status quo has not worked. we cannot afford four more years of barack obama. we're not going to have four more years of barack obama. >> wednesday, president obama and mitt romney meet in the first presidential debate. the news our jim lehrer moderates. watch and engage with c-span including our live to be preachy at 7 p.m. eastern. the debate at night and post debate, your reaction, calls e-mails and tweets. fall live coverage on c-span, c-span radio and online at
11:05 am spent up next, white house officials in charge of cybersecurity speak about the growing concern over counterfeit computer parts and software. they spoke at the potomac institute on computer network threats posed by a foldable supply chain. this is about two hours. >> ladies and gentlemen, if i could have your attention, please. minus michael swetnam and on michael swetnam and ceo of the potomac institute for policy studies, and it's my distinct honor and courage to welcome you here today for a seminar on supply chain threat of cyber issue that we have been discussing in and around washington for quite some time. the potomac institute, for those of you have not been here before, is a science and technology not for profit policy
11:06 am
think tank, if you will in the washington, d.c. area that focuses on how science and technology affects our national security. for quite some time we've been involved in the study of issues in and around what people call asymmetric threats. and most importantly, terrorism. this past year the professor and i released our second volume on al qaeda about 11 years after our first volume on al qaeda right before 9/11. i'd like to call your attention to. there are copies available, and, of course, available on the web on amazon and all those good things. and i wanted to highlight it today because it's one of the gifts we are going to get to our panel members for taking the time out of their busy schedule to come join us today. at the very least, i can promise you a good sleep if you read it. [laughter] the second work that the potomac institute has been involved in over this past year is an effort
11:07 am
with the mattel corporation to look up the cyber issue in particular cyber doctrine. that volume edited by tim semple and i is in publication as we speak but you have on your seat on the table, all of you, a short flyer that summarizes what's in that long. it will be out shortly and we will of course make sure that copies are available to each one of you as they come out of the press. i'd like to note the honorable randy, sitting in the front row is one of the authors, chapter authors in this volume and has contributed not just to the cyber discussion this year but, of course, for more than a decade. since the issue is of some note. potomac institute as i've mentioned before is involved in the discussion of science and technology as it affects our national security. it's been our goal for the 18 years of our existence to help you place where the discussion can be held in a forum that
11:08 am
encourages the development of policy based upon good academic scholarship and input. your participation today, not just in listening to the speakers but interacting with them, taking away what they said, publishing and being involved and contribute yourself to the issue we think is a prime importance. it's a with the interaction of all this combined that we can ever hope to address issues as thorny as that of cyber issued in and around washington, d.c. a quick note before turn this over to our moderator today. i'm an electrical engineer, at least i was some 30 years ago, when i got a degree. it's probably not worth anything today, but issued an electrical engineer was osha discussion between the hardware guys and the software guys. who's really at fault for the fact that this is breaking or not working. and, of course, the hardware guys always blame the software guys, and the software guys always complained that they were having to do things to work
11:09 am
around for hardware design. today, we have, i guess we're in our fifth, sixth or seventh year of a formal federal program to address the cyber issue. we are probably in our second going on third decade, recognizing that we have a cyber issue. from my perspective i will tell you we're doing a pretty fair job of addressing the potential threats from the software side of the coin, only to discover that yes, there are hardware issues as well. without addressing both sides of the equation, and they are very different. software is trying, comes and goes and will meet responses on the order of milliseconds. hardware stays around for a while. it's very expensive to address and issues in and around bad things in her hardware are far different than issues in around software. only a complementary approach i would contend will help us resolve the issue of cyber threats. with that, let me turn the
11:10 am
podium and this forum over to retired rear admiral jamie barnett it will lead us through what i hope will be a very lively presentation and discussion of issues surrounding cyber. i think you all very much for coming and i want to can encourage you to be involved, continuously, in this issue. your input is very important. thank you very much. [applause] >> thanks, mike. i'm jamie barnett, as mike said. i'm senior vice president the potomac institute for policy studies. so welcome and thanks for taking time out of your busy schedules to be here, and also our guests that are viewing this on c-span and on the web. we really appreciate your presence in part of this discussion. this is an august audience here and now you're also here to hear this amazing panel of speakers which will get to very quickly. i had the opportunity to address
11:11 am
the supply chain problem and particularly the communications supply chain while i was chief of the public safety homeland security bureau. i got with some of the folks in the audience writer on that and i appreciate your presence here. when i got here, stored talking to michael swetnam and relies the potomac institute has traditionally been involved in supply chain and other supply chain that is, the symposium seemed very appropriate and timely. timely. one of the major missions as he mentioned of the potomac institute is to elevate the policy discussion on matters of critical importance to the nation. so i'm not going to speak today. rfid will only be to fill in for bobby simply, who unfortunately had to cancel at the last minute. i did have a short article that you will see on front table there, but also on a website but the supply chain threat is as much a matter of national security as is cybersecurity. part and parcel. and in some ways it is difficult if not more difficult.
11:12 am
and while works ongoing in washington to address this, the nation needs a full some discussion of how to approach this matter. what the real concerns are even before we get to what the answers are. it must be recognized as a threat. it must be recognized that the status quo is not acceptable. the status quo is not impossible but it's not going to remain the same one way or the other. we must recognize the government interest and supply chain matters for private companies is a concern, especially for private congress. what is the proper role for government? what are the incentives that can be provided to industry? the most important question, what would be effective? you have our agenda. we'll have our keynote speaker, and i will then introduce each one of the panelists, and we will hold questions until after all have spoken but then i do encourage you to ask questions but i'll have a few questions for the first and then we'll open it up to the audience. i would ask you to use the
11:13 am
microphone. if you don't use the microphone that might be harder for our guests on the web and on c-span2 hear you. i am very pleased that this symposium is being cohosted by our partners, national security partners, which provides outstanding service to the nation and our intelligence community. and with us today is the president of national security partners to introduce our keynote speaker. brigadier general retired make false is the president of -- as program manager and lead consultant to national security agency, he's provided a host of services. he was previously let the contract support for the directed at planning and performance by providing corporate vision, strategic planning, performance metrics assistance for central partners,
11:14 am
and with the nation's 17 member intelligence and community. while in active duty in the united states air force, general mcfalls served in many key as imus in the director of operations for the air treatment, deputy trip to of the air force legislative liaison and command of the air force largest in 15 you know, the fourth tactical fighter wing. he has a bachelor of science in aeronautical engineer from united states air force academy. i think i've heard of them somewhere. are today out west? and a masters of science in aerospace engineering from the university of michigan. would you welcome general jay old with false? -- general mcfalls? up at the expense i did not that part was happy because i have the easy part here. it's really an honor and privilege to introduce our keynote speaker today, and for our company that cheney was just talking the, the national security partners, to be affiliated and cosponsor with this very prestigious and influential organization, the
11:15 am
potomac institute for policy studies. as our tagline states you behind, we are difference makers. national security partners have been supporting many of the organizations that represent in the room as a look around the audience year for separatist. but today i'm jamie says say something nice about dennis bartko whom i've known and our team has support for five years or so. so let me go without. as the nsa directors special assistant for cyber, he leads the nsa cyber task force. when general alexander selected dennis come he opposite new the same thing that i'm about to tell you because the dentist started this organization way back in early 2007, and he still is the leader. as you probably saw from when you signed up on the web to attend today's symposium, dennis is perfect for this job. he's a technical expert. he's an electrical engineer and decrypt analysis expert. in fact, he's a proud
11:16 am
card-carrying member of what we affectionately and respectfully referred to as the crypto math mafia. bat and combined with this diverse experience serving on capitol hill within congressman robert ehrlich's legislative staff, followed by star with the private sector at the atlantic verizon communication, this makes them a very well-rounded and diversified for this job. but even before that those that really know him will remember his musical inclinations playing drums for his high school rock 'n roll band, the royal flush. and we get to some of the questions you can ask what really that means. he actually had much longer than any has no. he's a martial arts black belt and devoted model railroading disease and just an overall fascinating guy. but as you can see, i've been on the circuit a long time, and dennis has got to be in the top
11:17 am
three to five of the inspirational leaders with whom i've worked over my several careers. he's the epitome of all that great business leadership books that you may have read, and he's truly a level five leader that is described in jim collins good to great book. and that's because it's not that he doesn't have an ego, but his ambition is first and foremost for his institution, is agency, and not in so. and he inspires all of his team to reflect that philosophy. over the years he's gained respects within all portions of the federal government that deal with cybersecurity, and is routinely sought after for his valued opinion on all things cyber. and that's what the potomac institute asked him to kick off this event. a humble inspirational leader with the highest of integrity, technical expertise to understand the most complicated cybersecurity subjects,
11:18 am
politically savvy to make his team sensitive to all the very perspectives, and the ambition to directly support his agency, and the ravens and philadelphia flyers fan. it doesn't get any better than this. ladies and gentlemen, george dennis bartko. [applause] >> thank you for that kind and very generous introduction. and also, thank you, potomac institute, for the invitation to be here as part of this great panel and all of the folks that are here. as a director of nsa, general alexander can also command of the cyber command says it takes a team to address the challenges and issues that our nation has in cybersecurity. no one individual department or agency or the government itself can address those challenges. it takes a keen that includes the private sector, the
11:19 am
government, our industry, our allies and our citizens that all come together to address those challenges. so i think it's really appropriate that we are all together here today to have a dialogue on a really important issue, which is the supply chain challenge and information and communications sector, and this threat is an important and complex issue for which there is no real simple solution. and it's going to take a team effort to address. now, as i had the invitation to come today, i started thinking what is it that i could actually contribute to a discussion with individuals across those sectors either from being on the panel or from being in the audience here that would be a value to help frame this discussion? and as i thought, inspirational really came over dinner with my wife, but we will get back to that in a little bit.
11:20 am
because nsa is appropriately not an organization that either sets or makes policy. we execute our mission of signals intelligence and information assurance in a space which has become what we now call cyberspace. and it's from that experience, and especially from the experience we learned through our information assurance mission that i hope to share and contribute some to this discussion is being held here today. specifically, what is this space? why is it important? are there a set of key attributes that we should consider as we're discussing solutions in the space? and if there are, what are the responses that we as a nation may want to consider in
11:21 am
accordance with them. and who might be required to do it? so with your permission i'm going to take that approach was just a couple of minutes, even though it might be very high level, it might be something that everyone of you know, but often to start a discussion it's important to start from this invasion. our deputy director at nsa often says the answer of what is cyberspace gives this answer. cyberspace is where our nation stores its treasure and its welfare our treasure being the intellectual property of our nation created by all of us across all those different areas that we've talked about in her private sector, our industry, academia and beyond. and our wealth not being so much the money that we print or the coins that we meant, but the
11:22 am
bits in databases that actually represent them. and the space that we call cyberspace actually has been good for everything we care about as core values in our nation, our national security, our economic competitors, our public safety and even civil liberties. but at the same time we wouldn't be here having this discussion if for all the good the space has enabled and done their words also challenges or threats. and those threats, a member of different directions, the number of different ways if they come from some actors. some actors who are in that space who don't share the same values or approaches that we do in this space. it comes from various techniques and tools that could be used, some of which have become increasingly popular in our lexicon as a nation.
11:23 am
but it also comes from a series of vectors. a vector being things that range from insider threats, threats that can be done over remote access through networks, and threats to our supply chain which brings us here together today. and as we contemplate and think about the supply chain threats and the challenges in that domain, i would like to share three attributes that we add an essay believe that we have identified as part of our time and experience in this domain. there may be more, but these three are something that we use when we think about challenges that we face in order to determine if solutions probably are good solutions to the problems that we might have. the first attribute is convergence. so when you look at this space, if perhaps there's any single
11:24 am
attribute which is most important, it's the fact that convergence. different things that were separate coming together to make one. in fact cyberspace was created from separate elements that were converging over time, increasingly, that became this thing called the internet in the wider cybernet. there might've been at least three levels of convergence that have taken place. a convergence in the connections in this space which were once separate, depending on the media from which you might've been committee can, with the making a focal are watching a video on tv, or maybe tried to send some e-mail or text message that has converged, which led to another level of convergence in the devices that we use. when we used to have two separate devices to get access to the various types of communication link, now those devices are able to collapse and converged so that now many of us
11:25 am
carry around smart phones, tablets, devices. they are essential to all devices that can handle all of those communication means in different form factors or shapes. that's leading to another powerful convergence on how we can all gather. and have discussion, not bound by geography which brings together much opportunity for a wide-ranging international and across our nation discussion, in collaboration on activity. so we see convergence as an important and continued aspect in the space, and if it is, in fact, one of the attributes of this space, then we believe that perhaps the appropriate response of convergence is integration, that all of us are working in this space need to actually integrate our efforts to the greatest extent possible to bring together everything that our nation can to address these challenges.
11:26 am
the second attribute is pretty simple. it's continual change. we know in this space that cyberspace is not going to be the same tomorrow as it is today. its continually changing and evolving. and if, in fact, that's true, then our free spots, whatever it might be, needs to be highly agile. and, in fact, it may cause us to think, in our spots is need to consider the use of change itself as an appropriate response, to the challenge of the continual change in this space. the third is very important. it's that there's huge amounts of information in this space. and if there's huge amounts of information in this space, all different types and all different types of media, it may seem most appropriate that our response should consider how we share information amongst and between ourselves in order to address the challenges of this
11:27 am
space. information sharing, therefore, we believe is an appropriate response to the great amount of information that are in that space. so if the space has these attributes with these required responses, there may be more. but these are ones that we think might be helpful as we have a discussion on threats in the space and responses to them. including the supply chain threats that we are discussing today. and that brings them back to something i said briefly as part of my opening. i said that inspiration came for this talk in part over dinner with my wife. and while we were eating dinner, thinking what could it be that perhaps could bring to this forum, the answered in somewhat was a thought that was sitting in front of me. you know, that analogies are never perfect and one analogy
11:28 am
never works in every other situation that you're trying to apply it to. but when you're faced with a complex challenge that is important to the supply chain threat, that is complex, it's going to take a collective community effort to dress. and looking at how other problems that might be somewhat similar were handled might also be instructed. so i was looking down at dinner, what was in front of me was food. and when you sit back and think, food, with something that each of us know that we use. it's a essential. that each of us, in a way that is safe for us to consume for what we need. and, in fact, there's a lot of great work that is done to try to work and ensure that food safety. and, in fact, the food itself is becoming more internationally available and internationally distributed. so when you look at cyberspace, i'm not saying in any particular way that cyberspace has become
11:29 am
as important to us as food, but to anyone who you are, depending on what you do, it's feeling very much increasingly important, and just like food, we are having an increasingly globally supplied cyberspace in the infrastructure that we depend upon. and similarly for all of those who use cyberspace, it's somewhat challenging and somewhat to know whether or not that the cyberspace you are using is safe and secure and it can be trusted. and so we have to often rely on others to help ensure that safety and security and trust. and so again, one analogy will never always fit, but even things that we would apply in that domain, such as understanding what the risks are, taking action to try to address them, and have him plan
11:30 am
that you can put in place if those risks so, to pass, are probably also appropriate things for us to dialogue and discuss women talk about the supply chain threats. so again, i thank you for the opportunity to provide what i hope was some useful framing discussion for the dialogue that's about to take place. i'm honored to be sitting on the panel with some people who are very thoughtful and enforce the policy in this issue across the board, some of which have had to work on a number of years with. and look for to the dialogue and discussion because again, in supply chain, a complex and important issue and one that will defied a simple solution that will be the diversity of thought that we all bring together to the table that will help make the answer to that solution real and possible. so i appreciate the opportunity and look forward to participating. [applause]
11:31 am
>> dennis, thank you so much and we appreciate your thoughts here. we are also very pleased to have a leopard with us today. he joined the department of defense in 2000 as the deputy assistant secretary to the defense for manufacturing and a duster policy. mr. lambert serves as the principal advisor as understudy for defense for acquisition, technology and logistics on all matters relating to defense and industrial base. 2011 he was worth the security of defense medal for outstanding public service for his work in his current position. prior to joining dod, mr. lambert spent 20 years working on defense intelligence with defense intelligence firms from 1989 until 2007 he'll positions of increasing responsibility at dfi international and national security consultancy firm that he built and founded until he sold in 2007. he served as executive vice president and managing director during that period of time and while at dfi he also that the
11:32 am
companies work with the first year defense firms financial institutions and equity organizations in merger and acquisition market advisory services. he attended graduate school in india, rogue scholarship. he received during his senior year at kansas state university. he also worked for the journalist in the audience. he worked as an independent journalist in india, pakistan and burma. before his time in asia he served in the political military group in center for strategic and international studies. would you welcome defense assistant secretary of defense brett lambert. [applause] >> thank you. i appreciate it. it's too easy. i can't go without saying you've given us food for thought. [laughter] but thanks for a much for having me, and i'm particularly pleased to be here at the potomac institute, both in the private
11:33 am
sector and more so actually since i joined the government about three years i've come to rely on the insights and the papers and the products from the potomac institute, is really a source for unbiased forward leaning thinking on a wide variety of technology issues that often confound us, certainly inside the building. and i don't think they get the daily recognition they deserve, but if it's any consolation i try to steal from their products as often as possible, because they do offer a tremendous amount of insight. and also want to thank you for the loan of steve who is here today, has been our office working on a number of manufacturing issue, particularly as they relate to the supply chain. for this part of it before we get to the q. and a., i also would like to stand back a little bit and tried to frame a specific threat of cyber in a larger context of the overall international base supply chain we face. i look around you and i know
11:34 am
i've spoken to many of you one on one about some of these tough challenges we face with the supply chain, so hopefully when going to say today publicly won't differ from what i told you privately. let me start at the very beginning with an attempt to define the defense and osha-based supply chain. it's a term which is often used both inside and outside of government. but rarely in a way that actually depicts the reality on the ground. the defense industrial base is comprised of extreme of diverse set of companies that provide both products and services directly and indirectly to the national security agency, including the military. references to the defense industrial base that as a monolithic entity are not frankly analytically useful. a defense industrial base lets companies of all shapes and sizes, resources from around the globe for some of the world's most largest public companies, so proprietorships to crotch startups. some companies do directly with the federal government by the
11:35 am
vast majorities of suppliers, subcontractors and providers are in a value chain that leads to those contractors many times 10 or 15 times removed. companies of any size often critical are often hard-pressed -- some products and services are sold by companies in the defense industrial base that are truly unique to the defense applications. but most have substantial levels of nondefense demand or even sold exclusively on commercial terms such as a supplier may not even know that their product is ultimately used in a military system. and likewise the department may not know, it depends by merit on a commercial component. finally, won the pace of innovation is extremely rapid in some segments across the defense industrial base such as i.t., other segments are based on very secure technology or dynamic innovations that is less important to the department. in short, there's no single
11:36 am
defense industrial base. by the defense market data service by deferred selection of companies which reflect the critical economy for goods and services. i'd liken it to the mall of the americas where you anchor stores and big names that you recognize the big names in aerospace and defense, much of a few stores you might recognize as national chains. and then you have literally hundreds of other stores and when you walk by you think to yourself, who the hell would buy from them? the fact is we do. we buy everything. we buy everything from ships to shoestrings, and from services we buy everything from mowing lawns to the highest insider security analysis. what's important about this analogy is that even the stores that are anathema to most, in fact the anti-mall represents just a small portion of the overall supply chain that provides the component and software necessary to stock the shelves of every single component and weapons system we field. the u.s. military superior
11:37 am
operational capabilities are enabled by this diverse base, and for decades the united states has commanded decisively in the quality and quantity of the defense by the research and it didn't conducted globally, and in the military capabilities of products that flow from this work. however, the advantage is that if enabled america's preeminence in defense technology are frankly not a birthright. and a key element of that base are necessary to ensure u.s. dominance on future battlefields must be sustained and nurtured. the u.s. defense industrial base supply chain is critical to equipping our military with superior capabilities and a strong technologically vibrant and, frankly, financially successful supply chain, all the way down and is therefore a national interest. there's one more important truth we have to recognize. at the end of the day, despite spending over a billion dollars a day we and the pentagon to actually build anything. we rely on our national supply
11:38 am
chain to develop, build and ultimately making the goods and services upon which our war fighters lives depend as was the lives of the citizens they defend. so with that in mind let me turn to the three things i see changing the defense industrial base supply chain. simply put, our base is more global, it's more commercial, and is more financially complex. the reality is true today than it was yesterday. and it would be truer to more than it today. the defense industry and the suppliers it is made up of our constantly changing, constantly adapting to department requirements, and conditions set forth in the commercial market place. this evolution is the base brings with a new and difficult challenges, and it begs for a flexible, adaptive approach to the ever-changing reality on the ground. outdated constructs of static or steal industrial base with u.s. government can take a certain assurances are imposed influx world's on our suppliers must
11:39 am
give way to the facts on the ground that our base is no longer single monolithic entity. in the transport supply chain policy must take these facts into account in developing a much more sophisticated and nuanced view of our base as traditional been the case. over all the goods and services the department relies upon reached our deeper into the overall global economy than most in the department appreciate. while there are unique items used solely for us, these items themselves often rely upon a complex and integrated supply chain a product providers, if restricted or compromise as a second, third, fourth or even 10th year would jeopardize even the pure ability to support the war fighter on an ongoing basis. so let's start with the first reality which is our base support globally. we must recognize the implications of this increasingly global marketplace which we operate. more and more the advanced goods and services upon which we rely are produced by firms that were not found in the united states. also challenge is that much of
11:40 am
our supply chain, particularly at the lower tiers and information technology, are provided by firms in countries that are not our closest ally. buying from m.o. global environment fund for us many benefits. it increases competition and reduces cost. it allows for the introduction of new technologies concept. it off and support coalition were fighting efforts or at least makes them less difficult to execute. and we can benefit from the lessons learned and efficiencies gained from other nations whose militaries face difficult financial systems circumstances. moreover, globalization frankly is not an option. it's a reality. but while buying from them or global environment offers many benefits to the department, we must be aware of the significant threat. these include but are not limited to the main and where all here today. the threat of counterfeit or in three parts entering the supply chain, the potential for under relies on components whose
11:41 am
origins are actual configuration may not be fully understood. as well as the risk of leak intellectual property to foreign business and government. when it comes to articulating the real-world risks of a failed to defend a policy on the subject, particularly as it relates to cyberspace, one look no further than the panel that is here with me today to give you a sense of the potential devastating conflict. the second key feature is linked to the one i just described is increasing and many of our segments vital to this segment are commercial in nature. will rely upon commercial design components. this is a transit department is frankly been more willing to recognize in policy than in practice. i would hazard to guess that 25 years ago nearly 70% of the goods and services the department prepared what he felt exclusively for the department. today, i would suggest that the racial has reversed with roughly 70% of the goods and services now i to produce for commercial consumption or originally
11:42 am
developed for a commercial application in mind. as was a largely commercial base supply chain. this is a very difficult concept for many and a business to get their arms around. frankly, the department is much more comfortable in the dog, not the tail of a market. this attitude is not helpful when we discuss the various ways to understand or track our supply chain. simply put, the old standby remedy to most supply chain concerns simply won't work in the modern global and commercial environment. yet we must adjust to do with the new reality. as i stated before, despite our financial resources the in the department built a little bit our international base both military and commercial. at the department simply can't afford to dominate our prop up every important domestic industry upon which we rely all the way through the supply chain. it's simply not economically feasible or strategically desirable. trusted boundaries are -- i'm not even going to get started on
11:43 am
that. maybe in the q&a. that dod will certainly continue to rely and support niche element of international base of the supply chain is critical to our national security, that we must better understand precisely what these critical elements a are. then buying from commercial firms, secured commercial firms when warranted and allows us to save money, to dedicate and supporting those items and supply chain that will never find a commercial market place. bubut in corporate and commercil products and the defense arsenal is not without its own sets of challenge. incorporate more commercial firms to the supply chain means breaking a many of the bureaucratic barriers to entry which still exist in the department. and i recognize the font management of commercial copies are often put off, particularly in the telecommunications market, by the political and government complexities of working in the department, both regular and buyers, believing, this occupies a lot of my time
11:44 am
to i try to remind these executives again primarily telecommunications companies that while uncle sam may not be your favorite uncle, he is by far the single richest one you will ever know. even in these trying fiscal times. to encourage more commercial innovation, the department is striving to have more commercial products whenever possible and adopting commercial standards as a means of securing the supply chain. we must do a better job of not so by accepting the without fully understanding them appreciating, and mitigating the risk of such approach. notches to her and product but throughout the entire supply chain. moreover, we must understand the dichotomy of this approach and hazards associated with the. on the one hand, the key attribute allows for steady long-term supply, tell us what steady long-term supply base and supply chain are the high barriers to entry our market sometimes imposes. if we lower those barrie for all the right commercial and technological reasons, access to
11:45 am
more advanced technology, increased competition, we do so at the risk of disrupting that which has made some of our industry unique, and opens it up to those manufactures and supply chain's who of short-term interest for which the department may be justifiably considering. the third trend which won't spend time on today in our industrial base but i would at least like to highlight is the growing complexity and importance of the financial sector. again, from ships tissues can. the financial can has a final and -- to ensure the health and viability of the entire supply chain. from a small technology started to the big venture funding to the debt markets which support our base to access the capitalist program, ensuring the entire supply chain simply could not survive without access to capital. and it is a case with our supply chain chile, the financial sector is becoming more complex,
11:46 am
more global and more problematic by today. the common theme running through all of these trends is the ever-increasing complexity of our race and of our supply chain. those are the facts on the ground. the problem is not getting easier. in fact, it is becoming more complex by today. i look forward to getting the image is too big back to the department during our discussion. [applause] >> brent, thank you so much. i'm sorry that roberta was not able to be with us today. and i might mention to this is not the only one of these types of symposium we're going to. we kind of concentrate on government is that the next time we may have more industry, but maybe bobby stampley can join us at that one and you could look forward to that in the future. right now we're so pleased to
11:47 am
have melissa hathaway with the, president of halfway global strategies, someone who -- her company now brings multi-institutional perspective to strategic consulting, strategic formulation of public and private sector clients for her client. she's got an eye watering resume. i'm going to mention a few things from it and i understand. she has been on the board of directors, a member of the council of experts for the global cybersecurity in italy. them in the strategic advisory board in boston, it goes on and on like the. ms. hathaway also provides strategic device to the government here and throughout the world, interval, numerous other governments. she has worked in participating
11:48 am
and contributed a joint mit harvard project developing methods to measure model, responses in cyberspace. she's also a regular guest lecturer at both universities. from 2009 to august 2009, she served in the obama administration as acting city director for cyberspace for national student council. in that capacity she assembled a team of experienced cyber experts to conduct a 60 day review of cyberspace policy review. in may 2000 the president presented a blueprint and under ms. hathaway's leadership conducted the review, it was tremendous work on it. she continued to do things. she worked in the bush administration, many things, recognized as an expert in this world. so we are very pleased to have with us, and please welcome
11:49 am
melissa hathaway. [applause] >> thank you, jamie. and i'm very honored to be here at the potomac institute. mike, thank you for your leadership in this area. the institute is really known for translating complex technology issues, and to more simple terms, for the policymakers, and the potomac institute is a strong part of us working in the bush administration to help us have a neutral ground, have this conversation about cybersecurity and the need of the nation. and help us with forward-looking policy perspective, so thank you again for hosting this debate. and i'm not sure how i can follow them. they were amazing, so i'm going to take a look at of a different perspective, and talk about the
11:50 am
supply chain for maybe historical and then today, and hoping -- [inaudible]. i'm going to start with a little bit of history and really fast forward it. back in 1969, in october, not two days away from the anniversary, the very first transmission of the internet. and october 29, 1969. and that was really the beginning of the open of a lot of the conversations we're having today. [inaudible] on the internet today. and it became more and more of a reality as we developed and enhanced technology, in 1985, we
11:51 am
opened up and created the dot com domain, and in it became a platform for e-commerce and essential services. in 1985 and at that we have the world wide web. now you can search for information and enabling more and more information communication technology innovation. in the coming years our government has embraced that for the hope of the economic growth, activity that it has enabled. and we started to put more and more of our special services on to the backbone of the internet. today, we have the bank and e-commerce all on the internet. we're moving toward a future of having our energy distribution, smart grid that is connected to the internet. we are moving to a generation of
11:52 am
next-generation aviation and air traffic control that is controlled by the internet and over the internet. so we have moved so much are essential services onto the internet, and one has to ask is that what it was designed for, and is it secure or what we need for in the future? this brings about three tensions. i'm going to try to stick to three. three tensions that are in the technology world. the first is we are seeing attention and need from an economic policy to stimulate the economy for national security. the economic growth that the promises our country is measure cleared at 4% gdp growth. that's the small -- that's what the g20 countries are expected. developing nations are expecting
11:53 am
to contribute as much as 10% of the gdp growth. so we're going to continue to embrace the internet and the e-economy in order to drive the growth was it his job growth and productivity growth, efficiency. in indiana states were expected to leave as much as 40% by adopting that icc technology and embedding the next generation technology into infrastructures and our enterprise. the second tension then as an evolution from the first. and that's what we're talking about infrastructure modernization for critical infrastructure protection. infrastructure modernization is where we're actually moving more and more of these essential services to the internet-based backbone. whether it is smart grid, whether it's water dish addition to whether it's oil and gas distribution. whether it's aviation system. most are essential services are
11:54 am
embracing and embedding the next generation technologies. on the other side of government policy perspective, we are looking for how do we ensure that critical infrastructure protections so that if we can, in fact, deliver the services that they are not vulnerable to attack, through the internet, or over and through the supply chain. and how do you manage those threats? and those risks are to be coming into standards, minimum standards of care and the discussion that we're talking, that is happening all around the world. should we regulate these infrastructures and these businesses more to deliver a minimum standard of care because of the vulnerability that had been adopted through the itc giving. the third tension from technology and policy perspective then comes down to who's in charge. is a public sector or is it the private sector? the public sector appears to actually contribute to public
11:55 am
safety, economic well being, and overall national sovereignty our national security. they are responsible, the government is responsible for ensuring that we have those essential services delivered to us. but at the end of the day, it's all about private sector. the private sector designs, builds, delivers and operates all of those infrastructures. and is in the event there was a problem, the private sector is responsible for the actual recovery and restoration of that infrastructure. so then comes the policy debate. we have both are in charge, one is responsible for assuring citizens safety of those essential services, and the other is responsible for really delivering it. so how do you actually can make the policy a reality? i'm going to talk to those ask for as we look at, as we need a mix of policy, leaders and market leaders, and we need to
11:56 am
take a broad look at what that is to ensure our competitors in this global environment. and i can talk to the mix of market levers that we need. so from there, that history, i'm going to talk a little bit about the supply chain and how this comes together. the supply chain management is about the movement of raw material's into an organization, the internal processing of those materials into finished goods, and the distribution of finished goods to the end customer. again, three processes. supply team professionals and those of us who have to work with them, we design and manage the product, the information of the financial flow that businesses, all businesses run on today. again, another three. today, companies worldwide are leveraging those supply chains, that global supply chain and those mix of processes and procedures to gain competitive
11:57 am
advantage. competitive advantage might be the raw material actually exist in another country. the competitive advantage might be the price point for labor is cheaper in another country. and the advantage could be the fact of the product or the integration of that is easier to assemble and to integrate in another country because of their environmental laws or other laws are more supportive of a needs of their businesses, and to deliver products to market. so with that, then we are looking at another set of tensions. we are expecting the global supply chain to be available at all times, to enable common itc perspective, our confidentiality of our businesses, and then we're demanding that those products maintain their integrity. so it's no mistake that i'm
11:58 am
using confidentiality and integrity and availability of information assurance because that's in many ways what we are talking about of the three tenets of information assurance where we are now worried about the integrity of the products come into our global supply chain that might compromise businesses confidentiality and/or the overall availability of those essential services of all of those essential services and businesses. so the globalization of i.t. hardware and software, and i must point out that hardware is what a lot of software behind the actual stuff, is that the products are being built, delivered, maintain, upgrade all around the world, and they are vulnerable to opponents who wish it harm. the global commercial supply chain provides adversaries, or the supposed with greater opportunities to manipulate the product from design through its entire product lifecycle. and adversaries that may have
11:59 am
access to those particular networks or are designed to have access, wanting access, to whatever part of the target is a target-rich environment. and so, we need to recognize that there's a whole process involved. many of the times when we are taught not supply chain risk management, we are talking about and thinking about once we got that product to market, now how do we secured? that there's a whole evolution of roles and its possibilities of that product lifecycle and supply chain. the design. we can have data providers that are using industry-leading best practices, sometimes that's what we're talking about. it goes to brad's point of the anchor tenants. we talk about manufacturing. and the manufacturing should employ service-level agreements that are related to quality and security. and sometimes we talk about it must be indigenously

U.S. Senate
CSPAN September 28, 2012 9:00am-12:00pm EDT


TOPIC FREQUENCY Us 35, U.s. 21, Washington 9, China 9, Cyberspace 9, Nebraska 8, Julian Assange 7, Wisconsin 6, Catherine 6, Jim Bell 5, United States 5, Tommy Thompson 4, Alexander 4, America 4, Nsa 4, Tammy Baldwin 4, Dennis 3, Michael Swetnam 3, Thompson 3, Cisco 3
Network CSPAN
Duration 03:00:00
Scanned in San Francisco, CA, USA
Source Comcast Cable
Tuner Channel 91 (627 MHz)
Video Codec mpeg2video
Audio Cocec ac3
Pixel width 704
Pixel height 480
Sponsor Internet Archive
Audio/Visual sound, color

disc Borrow a DVD of this show
info Stream Only
Uploaded by
TV Archive
on 9/28/2012